Introduction
In January 2025 [2] [3] [4] [6] [10], a sophisticated malware campaign named Winos 4.0 was discovered, targeting organizations in Taiwan through phishing emails [1] [2] [3] [5] [6] [8]. These emails impersonated the National Taxation Bureau [1] [3] [4] [5] [8] [9] [10], aiming to deceive recipients into downloading malicious files. This campaign represents a significant evolution from previous attacks, utilizing advanced techniques to compromise systems and extract sensitive information.
Description
In January 2025 [2] [3] [4] [6] [10], a sophisticated malware campaign known as Winos 4.0 was identified, specifically targeting organizations in Taiwan through phishing emails that impersonated the National Taxation Bureau [1] [3] [5] [10]. Discovered by FortiGuard Labs [3], these emails claimed to include lists of companies scheduled for tax inspections [9] [10], urging recipients to download an attached ZIP file that concealed malicious DLL files disguised as legitimate tax inspection documents. This campaign marks a notable shift from previous attacks that employed malicious game-related applications. The attachments included a malicious DLL named “lastbld2Base.dll,” which facilitates the execution of shellcode designed to download additional Winos 4.0 modules from external servers, including one hosted at the IP address 206.238.221.60.
The attack methodology involved phishing emails mimicking government communication [3], with attachments containing executable files that, when executed, downloaded Winos 4.0 from a command-and-control (C2) server [2] [3] [6]. The malware specifically targets Microsoft Windows platforms and employs a sequence of executable and dynamic link library (DLL) files [10], including 20250109.exe [10], ApowerREC.exe [10], and lastbld2Base.dll [9] [10]. The initial executable acts as a launcher for the fake ApowerREC.exe [10], which executes functions from lastbld2Base.dll [10]. This DLL decrypts and executes shellcode that includes configuration data [10], such as the C2 server address, and implements features like privilege escalation and anti-sandbox techniques [10].
Winos 4.0 establishes persistence on the infected system by creating a copy of the malware as a Windows service and modifying registry keys. It bypasses User Account Control (UAC) and performs various malicious activities, including extensive surveillance capabilities such as keylogging, screen capturing [2] [3] [6] [7], and clipboard monitoring [2] [3] [6] [7] [9]. The malware operates stealthily by embedding its payload within registry keys [2], complicating detection efforts [2] [3] [6]. It can also disable security software and network connections [10], actively monitoring user activity and logging USB device insertions and removals.
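The paragraph above notes that Winos 4.0 persists as a service and hides its payload inside registry values. One defensive check this suggests, written here as an added example and not taken from any of the cited reports, is to parse a regedit export, decode each binary value, and flag large, high-entropy blobs, noting whether they live under an autostart or service key where a loader would read them. The .reg export, the key and value names (DemoSvc, Config) and the size and entropy thresholds are all constructed for the example.

```python
"""Flag registry values that look like stored payload blobs in a .reg export.

Added example: the export below is constructed for this demonstration, and the
size and entropy thresholds are illustrative heuristics, not published rules.
"""
import math
import random
import re
from collections import Counter

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# Key fragments that run code at boot or logon; a blob here deserves a closer look.
AUTOSTART_HINTS = ("\\currentversion\\run", "\\services\\")


def _finish(pending):
    """Turn accumulated 'aa,bb,cc' hex text into bytes."""
    key, name, parts = pending
    hexdigits = "".join(parts).replace(" ", "")
    raw = bytes(int(h, 16) for h in hexdigits.split(",") if h)
    return (key, name, raw, "binary")


def parse_reg_export(text):
    """Return (key, value_name, bytes_or_None, kind) for each value in a .reg export.

    Handles regedit's wrapped hex values (lines ending in a backslash); values
    that are not hex data are returned with None so the caller still sees them.
    """
    entries, current_key, pending = [], None, None
    for raw_line in text.splitlines():
        line = raw_line.rstrip()
        if pending is not None:  # continuation line of a wrapped hex value
            chunk = line.strip()
            pending[2].append(chunk.rstrip("\\"))
            if not chunk.endswith("\\"):
                entries.append(_finish(pending))
                pending = None
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if not value_match or current_key is None:
            continue
        name, data = value_match.group("name"), value_match.group("data")
        if data.startswith("hex"):  # hex: or hex(N): binary data
            hexpart = data.split(":", 1)[1]
            pending = (current_key, name, [hexpart.rstrip("\\")])
            if not hexpart.endswith("\\"):
                entries.append(_finish(pending))
                pending = None
        else:
            entries.append((current_key, name, None, "other"))
    return entries


def shannon_entropy(data):
    """Bits of entropy per byte; packed or encrypted code sits close to 8."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def find_suspicious_values(text, min_size=2048, min_entropy=6.5):
    """Flag large, high-entropy binary values and whether they sit in an autostart key."""
    findings = []
    for key, name, raw, kind in parse_reg_export(text):
        if kind != "binary":
            continue
        entropy = shannon_entropy(raw)
        if len(raw) >= min_size and entropy >= min_entropy:
            findings.append({"key": key, "value": name, "size": len(raw),
                             "entropy": round(entropy, 2),
                             "autostart": any(h in key.lower() for h in AUTOSTART_HINTS)})
    return findings


# Constructed export: a benign Run entry, a tiny flag value, and a blob under a service key.
SAMPLE_TEMPLATE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\demo\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Flags"=hex:01,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DemoSvc\Parameters]
"Config"=hex:%s
"""


def build_sample_export(seed=1234, blob_len=6000):
    """Build the constructed export with a deterministic random 6 KB blob, wrapped like regedit does."""
    rng = random.Random(seed)
    blob = bytes(rng.getrandbits(8) for _ in range(blob_len))
    lines, line = [], ""
    for item in (f"{b:02x}," for b in blob):
        if len(line) + len(item) > 76:
            lines.append(line + "\\")
            line = "  "
        line += item
    lines.append(line.rstrip(","))
    return SAMPLE_TEMPLATE % "\n".join(lines), blob


if __name__ == "__main__":
    export, _ = build_sample_export()
    for finding in find_suspicious_values(export):
        print(finding)
```

On a live host the same functions run over the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services out.reg`; the thresholds will need tuning, since some legitimate products also store compressed configuration blobs, so treat a hit as a lead to examine rather than a verdict.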
Key components of Winos 4.0 include:
- MainThread: Ensures persistence [3], prevents system sleep [3] [6], and disables security prompts [2] [3] [6].
- Screenshot: Captures images of sensitive applications like WeChat and online banking.
- Keylog: Records keystrokes and clipboard activity.
- USB Monitoring: Logs USB device insertions and removals.
- Anti-AV Measures: Disables security software and bypasses User Account Control (UAC).
Experts highlight the attack’s exploitation of human psychology [3], using urgency and curiosity related to tax documents to increase the likelihood of recipients downloading the malicious file [3]. The malware utilizes several MITRE techniques [11], including command and control communication via HTTP/S [11], exploitation of recipient systems through malicious document attachments [11], and keylogging to capture sensitive user information [11]. The campaign is associated with the Silver Fox APT and employs compromised software to deliver additional malware [7], such as keyloggers and cryptocurrency miners [7]. Additionally, the Winos 4.0 attack chains include a Cleversoar installer [9], which is distributed as fake software or gaming-related applications [9] and checks the user’s language settings to ensure they are set to Chinese or Vietnamese [9], terminating the installation if the language is not one of those [9].
Indicators of compromise associated with this malware include specific IP addresses (43.137.42.254, 206.238.221.60) [11], domains (9010.360sdgg.com, 1234.360sdgg.com) [11], and five SHA-256 file hashes [11]: 36afc6d5dfb0257b3b053373e91c9a0a726c7d269211bc937704349a6b4be9b9, 0e3c9af7066ec72406eac25cca0b312894f02d6d08245a3ccef5c029bc297bd2, 67395af91263f71cd600961a1fd33ddc222958e83094afdde916190a0dd5d79c, f4d3477a19ff468d234a5e39652157b2181c8b51c754b900bcfa13339f577e7c, and c9a8db23d089aa71466b4bde51a51a8cfdcc28e8df33b4c63ce867bd381e5fe5.
Recommendations for organizations include keeping antivirus databases updated [2] [3], educating employees about phishing threats [2] [3], avoiding unsolicited emails [10], and implementing multi-layered protection strategies that combine user education with advanced threat detection technologies [2] [3]. Additionally, organizations are advised to use managed file transfer systems that require registration and approval while blocking ZIP attachments [2], avoid opening compressed file attachments [10], and enable real-time scanning to detect potential malware [10]. Ongoing monitoring and threat intelligence sharing are essential for mitigating such threats. The attack represents one of the most sophisticated cyber threats, necessitating a proactive approach to cybersecurity, including monitoring system behavior and avoiding unprotected remote connections.
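The indicators of compromise and the monitoring recommendation above can be turned into a concrete log check. The following is an added example, not code from any of the cited reports: it takes the IPs, domains, file names and hashes the page lists (splitting the hash run into its five 64-character SHA-256 digests, since aggregated feeds often print them concatenated) and matches them against proxy, DNS and endpoint log lines. The log lines, the internal addresses, hostnames and file paths in them are constructed for the example and describe no real incident.

```python
"""Match the Winos 4.0 indicators listed on this page against log lines.

The IP addresses, domains, file names and hashes are the page's own IoCs. The
log lines are constructed for this example and are not from a real incident.
"""
import re

IOC_IPS = {"43.137.42.254", "206.238.221.60"}
IOC_DOMAINS = {"9010.360sdgg.com", "1234.360sdgg.com"}
# File names from the described execution chain. ApowerREC.exe is also the
# name of a legitimate product, so a name-only hit on it is low confidence.
IOC_FILENAMES = {"20250109.exe", "apowerrec.exe", "lastbld2base.dll"}

# The page's five SHA-256 digests as one unbroken 320-character hex run.
HASH_RUN = (
    "36afc6d5dfb0257b3b053373e91c9a0a726c7d269211bc937704349a6b4be9b90e3c9af7066ec724"
    "06eac25cca0b312894f02d6d08245a3ccef5c029bc297bd267395af91263f71cd600961a1fd33ddc"
    "222958e83094afdde916190a0dd5d79cf4d3477a19ff468d234a5e39652157b2181c8b51c754b900"
    "bcfa13339f577e7cc9a8db23d089aa71466b4bde51a51a8cfdcc28e8df33b4c63ce867bd381e5fe5"
)


def split_hash_run(run, digest_len=64):
    """Split a concatenated hex run into fixed-width digests, rejecting anything else."""
    run = run.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", run) or len(run) % digest_len:
        raise ValueError("not a run of whole %d-character hex digests" % digest_len)
    return [run[i:i + digest_len] for i in range(0, len(run), digest_len)]


IOC_HASHES = set(split_hash_run(HASH_RUN))

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
FILE_RE = re.compile(r"[^\\/\s=\"']+\.(?:exe|dll)\b", re.I)


def scan_line(line):
    """Return the sorted (indicator_type, value) hits found in one log line."""
    hits = set()
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.add(("ip", ip))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in IOC_HASHES:
            hits.add(("sha256", digest.lower()))
    for host in HOST_RE.findall(line):
        if host.lower() in IOC_DOMAINS:
            hits.add(("domain", host.lower()))
    for name in FILE_RE.findall(line):
        if name.lower() in IOC_FILENAMES:
            hits.add(("filename", name.lower()))
    return sorted(hits)


def scan_logs(lines):
    """Return (line_number, line, hits) for every line with at least one hit."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            results.append((number, line, hits))
    return results


# Constructed sample: proxy, DNS and endpoint events from a fictional network.
SAMPLE_LOGS = [
    r"2025-01-15T09:12:44Z proxy src=10.0.5.23 dst=206.238.221.60 dport=80 method=GET host=206.238.221.60 uri=/stage2.bin",
    r"2025-01-15T09:12:45Z dns client=10.0.5.23 query=1234.360sdgg.com type=A answer=43.137.42.254",
    r"2025-01-15T09:13:02Z edr host=WS-042 event=file_create path=C:\Users\demo\Downloads\tax_inspection\20250109.exe sha256=36afc6d5dfb0257b3b053373e91c9a0a726c7d269211bc937704349a6b4be9b9",
    r"2025-01-15T09:13:05Z edr host=WS-042 event=image_load process=C:\Users\demo\AppData\Local\Temp\ApowerREC.exe image=C:\Users\demo\AppData\Local\Temp\lastbld2Base.dll",
    r"2025-01-15T09:14:10Z proxy src=10.0.5.40 dst=203.0.113.9 dport=443 method=GET host=www.example.com uri=/",
    r"2025-01-15T09:15:00Z edr host=WS-043 event=file_create path=C:\Program Files\Vendor\app.exe sha256=" + "ab" * 32,
]

if __name__ == "__main__":
    for number, line, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: {hits}")
```

Exact-match IoC scanning like this is the cheap first pass; it catches the reported infrastructure and samples but not re-hosted or recompiled variants, so it belongs alongside the behavioural checks (new services, registry-resident blobs, UAC bypass attempts) the page describes rather than in place of them.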
Conclusion
The Winos 4.0 malware campaign underscores the evolving nature of cyber threats, highlighting the need for robust cybersecurity measures. Organizations must remain vigilant, employing comprehensive strategies to protect against such sophisticated attacks. By prioritizing employee education, maintaining updated security systems, and fostering collaboration in threat intelligence, organizations can better safeguard their systems and data against future threats.
References
[1] https://cyber.vumetric.com/security-news/2025/02/27/silver-fox-apt-uses-winos-4-0-malware-in-cyber-attacks-against-taiwanese-organizations/
[2] https://osintcorp.net/winos-4-0-malware-targets-taiwan-with-email-impersonation/
[3] https://www.infosecurity-magazine.com/news/winos-40-malware-targets-taiwan/
[4] https://www.fortinet.com/blog/threat-research/winos-spreads-via-impersonation-of-official-email-to-target-users-in-taiwan
[5] https://ciso2ciso.com/silver-fox-apt-uses-winos-4-0-malware-in-cyber-attacks-against-taiwanese-organizations-sourcethehackernews-com/
[6] https://ciso2ciso.com/winos-4-0-malware-targets-taiwan-with-email-impersonation-source-www-infosecurity-magazine-com/
[7] https://www.hendryadrian.com/silver-fox-apt-uses-winos-4-0-malware-in-cyber-attacks-against-taiwanese-organizations/
[8] https://galileosg.com/2025/02/27/silver-fox-apt-uses-winos-4-0-malware-in-cyber-attacks-against-taiwanese-organizations/
[9] https://www.techidee.nl/silver-fox-apt-gebruikt-winos-4-0-malware-bij-cyberaanvallen-tegen-taiwanese-organisaties/20145/
[10] https://hackread.com/hackers-impersonate-taiwans-tax-authority-winos-4-0-malware/
[11] https://www.hendryadrian.com/winos-4-0-spreads-via-impersonation-of-official-email-to-target-users-in-taiwan/